To Demand a Ransomware Payment Or Siphon Off Your Intellectual Property?

Transcript

Opening

Hello everyone, and welcome to What's the Problem, the show that explores problems that buyers, practitioners, operators, and leaders in the world of cybersecurity face today.

Today, we are fortunate to have Chandra Pandey join us.

Conversation

Mike Krass: Chandra, say hello to our listeners.

Chandra Pandey: Hi, everyone. I'm pretty excited to be on this show with Mike today, and I'm looking forward to answering some questions.

Mike Krass: Absolutely! And without further ado, let's get into the first question. Chandra, first question here. Why are you qualified to talk about security?

Chandra Pandey: I'll say I'm like someone who has been in the cyber security domain for the last 20-plus years. I will not say that “Hey, I'm a guru. I know everything.” But I know enough to know what are the some of the challenges the industry is facing, how to go after those problems, try to stay ahead of those challenges as well, and how we can keep our customers and partners or any organization head up those challenges, so you don't get trapped into something which you never wanted to deal with.

Mike Krass: All right, I like it. The second question is the same every episode. Chandra, name a problem in the world of cybersecurity that we can kick around a little bit with the listeners today.

Chandra Pandey: Thanks, Mike. If you look into today's world, there are more than 10,000 ransomware attacks you hear daily; some are reported, and some are not. People pay or don't pay for it, but those are being dealt with. But then the other biggest challenge the industry faces is also not being talked about a lot these days, intellectual property theft. If you look at these two challenges, it's not only about what was taken from you, where you are being asked for money, and sometimes you have not. But there is a lot more behind it, and I love to discuss those in detail. Mike, I know you have some questions you want to ask in the middle there.

Mike Krass: You're right. We do hear about these requests for large balloon payments via Bitcoin to decrypt your files and your different systems and points of access. The concept of stealing intellectual property that I would imagine that you could as a bad actor. You could ask for a balloon payment over bitcoin or whatever crypto you want. You could also just sit there and continue to steal intellectual property. An example of it was a couple of years ago, sony, the entertainment company, somebody came in before a new movie release. We decrypted this entire final cut version, hundreds or I should say, 1000s of hours worth of work of film and production and post-production, and everything. They said we're not going to decrypt this file they're releasing unless they give us a payment. But they could have also just as easily said. We'll leak this right onto BitTorrent or the dark web or whatever.

If we're already in your network, we can just run around taking your whole category of intellectual property, all of your films and television that you've got there, and there's nothing you can do to stop us. I'd like to hear more from you on that. How often do you think that is happening where you have these bad actors who have access to your systems and are just lurking and slowly bleeding you dry of all of your intellectual property.

Chandra Pandey: I think that's a great point. You brought up what is happening in the industry because when somebody inside your organization got through, like social engineering or through some phishing email or sending malware to get all the credential breach char through brute force.

If you don't have a proper way of detecting those unwanted people getting into the organization, they create a home inside your organization. They can go and find the electrical properties, do the lateral movement, collect that information, and not only just take it out and put it into some of their balls but then destroy your backup and local encryptions. So now, you can keep on hearing that you have multi extortions going on, but at the same time, this intellectual property is in their hand. Whether you’re doing a silicon design, a movie or creating new medicines, you are in a high-tech company writing a code and creating a new innovative platform. They have taken those intellectual properties. Those actors are also figuring out that there are takers for those. If there are takers who are interested in those intellectual properties, those takers are going to pay not only tens of millions, but sometimes those can be hundreds of millions.

The value can sometimes be in the billions because that is what you are getting out there. That has been billions of investments to get to the point where you have gotten those intellectual property created. Recently, we had heard about the news that there was source code. A huge amount of the source code was collected in one of the big organizations focused on doing R&D and innovation.

Recently, there was news that counterfeits are becoming fraud. The hardware, routers, switches, and firewall are things you have. Think about the amount of work that has gone to create those things. You cannot just put into 10s, 20, and $30 million. Some of those might have multiple years of very innovative and creative work with the intellectual property, which can be hundreds of millions to hundreds of billions of dollars, depending on what that is. If somebody is stealing those and creating the counterfeit, that is a lot more damaging to our economy, not only in the short term but also in the long term. Those are not only just values you create because there is a lot of employment, and then you create a community and economy around because that's something you don't want to do. And it becomes critical for any organization to think about.

When you have such a critical test set, you are investing millions and millions of dollars in creating the innovations. If you look into the US economy, it's all about innovation. If your innovation gets lost, it's not just losing the value of what it was at that point and what it creates. The ecosystem around creates another 100 times the value of that, which is getting lost. And that is something we do not want to be happening. Right now, it is happening. There are not a lot of discussions, Mike, because people look into just like the ransomware, and if somebody can do ransomware, they can steal all of your intellectual property. And that is something we have to look at seriously.

I recently talked with a few potential customers, and they came in. They said, " Hey, look, we are more concerned about our intellectual property counterfeit showing up as well.” So we need to make sure that anything happening in there we in my environment, somebody breaching, we expect that breaching will happen one way or another way. Still, after that, they should not be able to go and do whatever they want in the organization. We have to detect those things in early steps and stop them so that our intellectual property or anything is never taken it out. We must ensure we do not let them do anything and do not want to happen in our environment.

Mike Krass: You also mentioned detection and social engineering at the beginning of this question. I could see a situation where the attack surface is not incredibly broad, but they get into simple systems. I shouldn't marginalize them. They get into systems, like communication systems. You're talking about email, some databases, some chat using slacks or something internally. You talk about social engineering and intellectual property, and I can easily see a situation where the attack surface they get access to isn't that broad. Still, they say, “ You know what? I can go in here, observe, and see that Chandra has a vacation in two weeks.” And so, on a Friday afternoon, I can send an email from Chandra impersonating him, a little bit of social engineering saying, “Hey, I'm running out the door to vacation. I was going to stop at your desk and ask you to look at this design file, the patent submission, or whatever they're observing that they want access to. Can you send it to me quickly, because I'm going to have my iPad at the airport be easy to look at, and give you a final approval or some design comments.”

Even though we don't have access to your design database, I can engineer a situation by not being detected, which means there's no response happening within the organization yet. I'm not detected. I'm running free in a specific siloed part of your business, in my example, the communication silo. I can ask you to give me something, and I don't even have to create a fake email address that uses number one. Instead of the letter I. I am you, I am Chandra, in this case, and they have no reason to believe I'm not. All of a sudden, they say, “Oh, here's a link on our share files being really weird on my iPad. Can you just send me the design specs, a flattened PDF, or do you just send me the raw files, AutoCAD files, or whatever format we're talking about? So I could see that being another situation where the attack doesn't need to go that deep within your organization if they can engineer a situation and communicate it to somebody believable. That's another way the intellectual property could be handed over unknowingly by one of your colleagues.

Chandra Pandey: Because sometimes, and these things that what you pointed out, that is happening is not just something in imagination, it happens that we have seen many times that people are trying to impersonate somebody which they are not. All these email systems you have, like Office 365. It's much easier to get in; we have seen that it's like two places where clients are far away. They are monitoring that exact behavior, and I point out user. A lot of time, you brought up something interesting, and what observation we have seen is people start looking into the client list, or the asset list, what kind of the assets and all that they add and reading into your SharePoint and OneDrive access, and so on so forth, as you pointed out, without even going beyond your initial communication system because they have the access. If somebody had the credential, they could be looking at that as well in there. Detecting those kinds of things is also very important.

In cybersecurity, there are two things you have to always keep in mind; you have to have hygiene, and you have to assume that hygiene you have to keep on making better and better each day. And then the other side is how you detect that something is saying something, but it is not exactly that. Detect those into the early steps and stages as much as possible. So it doesn't go to the last point when the data is exfiltrated. Then you are finding out some of those things might be too late and select to find it out. If the data is gone, it may not sometimes be easy to recover or get destroy. It's always creepy because you have a way of detecting the things in the early steps and stages of any kind of attack in June that things will get through the hygiene, but that does not mean that you don't have to have the good hygiene. These are products like your firewall, antivirus, proxy or gateway, email gateway, web gateway, and security. At the same time, don't assume that that will solve all your problems. Things will get through the hygiene, and that's where you are in the cloud, on-prem remote access, or at your home. You have to have a detection mechanism to detect the things in the early steps. If somebody's credential gets compromised, that should not be the end of the world, but that credential compromise should be detected. Suppose that the user is trying to do something. In that case, somebody starts looking into the SharePoint or your OneDrive, opening the file, or taking the file away, which is not the behavior. You detect it and compromise credentials that these are not the same people. But at the same time, even the behavior-wise, you can detect and say, “You know what, you miss it the first step. But you got in the second step, don't let them take the file away, don't let them start taking the screen.” Because in the financial sector, people are sometimes very smart. Instead of taking the file away, they will be just taking the screenshot and all.

Mike Krass: You don't even know it's been taken.

Chandra Pandey: What you have to do is, even some of those monitoring has to be in the place, whether you are doing it through the power cell or whatever way you are doing it. Those are also being done to ensure that this person is not supposed to see this thing, why this person is opening, or never doing something like this. For example, Chandra is not in the source code every day. Chandra is looking into the source code going into the Bitbucket or GitHub, or wherever it is in their census and recording, NCL is somewhat looking at compromise. You have to take action and say, " Hey, we don't think this is Chandra. Chandra is coming from a place where he does not come from. He's supposed to come from the West part.”. Still, all of a sudden, Chandra is showing up in, let's say, from Florida or Virginia. Most of the time, you brought up something interesting. You see these threats you are talking about. We have seen it. We have seen that sometimes people will happen that email gets compromised, especially Office365. It's allowed to get compromised because many people are on it. It's not only Office365 because many people are using it.

You will see that people will suddenly show up from the cloud providers. And basically, what they're doing is on the cloud provider you are using. They are using a client. They might be coming from anywhere around the world. But they are using a cloud provider to create a client, and that client is where they are coming from and accessing the email. You'll see a lot of that. There's a user in Texas, and then suddenly, you see that people are looking at the file or accessing the car drive from Virginia. That's where a lot of data centers are on the East Coast. You can see that this does not make sense. Many of those things, and these are real things that you talked about, are real things; they always happen every day, millions of times.

Mike Krass: Well, Chandra, I appreciate, and our listeners also appreciate exploring the intellectual property side of ransomware, not focusing on the payment, which seems to get most of the headlines, but more on how are we detecting, how we respond and how we are stopping the theft of intellectual property or confidential and sensitive information. Thank you very much for sharing your experience and your expertise. Let's bring this episode home. The last question we always ask everybody is, tell us about a time you had a terrible haircut?

Chandra Pandey: I'm pretty sure most people had terrible haircuts during the COVID situation because people were scared a lot of time. Those haircut places were not open. So you ask your loved ones to do a haircut, and everybody wants to be creative. If you have kids and they want to be creative as well, and then you end up getting to the point you have a haircut that you don't want, what do you do? You just then get it everything off and start from scratch. It was good that our family members were able to have some fun with me and do some experiments. Hopefully, they learn from it, and I also learned from them. Sometimes, being a source of fun for your family member is not bad, and you will remember that forever.

Mike Krass: Absolutely. I was also willing to receive a family-provided haircut, so I know exactly what you're talking about. I know exactly what you're saying. Well, to our listeners, we have come to the end of this episode. Thank you for listening to What's the Problem, the show that explores problems that buyers, practitioners, operators, and leaders in the cybersecurity world face today. Thanks for listening. Chandra, say goodbye to all of our listeners.

Chandra Pandey: Thank you so much for listening. And I appreciate you, Mike, asking many relevant questions because those are important. As I mentioned, I do not claim to know everything. But we have seen a lot of things out there, what is happening, and my request to any person as well as their organization is to watch out for your critical set of the assets always and stay safe. If we can be of any help, just reach out to Mike and me, and we will be more than happy to help it out.

Mike Krass: Absolutely! And to all of our listeners, we'll have Chandra’s contact info in the show notes and on the blog pages. He'll be easy to find if you have any questions or want to take him up on his offer. Until next time.